On Sat, 2013-10-26 at 22:22 +0200, Christoph Langbein
wrote:> Hello,
> how do I export a keytab with AES ?
> If I use:
> samba-tool domain exportkeytab /tmp/dns1.keytab
> --principal=DNS/dc1.test.local
>
> I only get
>
> Keytab name: FILE:/tmp/dns1.keytab
> KVNO Timestamp Principal
> ---- -------------------
> ------------------------------------------------------
> 1 26.10.2013 22:02:49 DNS/dc1.test.local at EXGUIDE.LOCAL (des-cbc-crc)
> 1 26.10.2013 22:02:49 DNS/dc1.test.local at EXGUIDE.LOCAL (des-cbc-md5)
> 1 26.10.2013 22:02:49 DNS/dc1.test.local at EXGUIDE.LOCAL (arcfour-hmac)
>
>
> If I use the samba generated dns.keytab I have all supported types.
> How to export the keytab the same way when samba is provisioned ?
That command should do it, it exports the same encryption types that the
KDC exposes (it loads the KDC database library). My guess is that your
domain wasn't provisioned with the right functional level, or we didn't
set the right flags on that account.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org